Saturday, April 9, 2016

Routing authentication - Thinking outside the box.


So it's been awhile since my last post, and while I could just blame work, really I hit a bit of a dry spell. Then I saw a topic show up on CLN that sparked my imagination. The topic was simple enough, which authentication method is better (specifically for EIGRP) MD5 or SHA? Now I can feel your twitchy fingers from here. You want to comment in all caps, bold letters "SHA IS BETTER!!!!" Calm down. Deep breathes. I felt the exact same way, until I read the question a little more thoroughly. Well, while the short answer is yes 'SHA is better than MD5', however you can't use rotating keys (yet) with SHA. Yeah, SHA1 is 160-bit hash vs. MD5's 128-bit (EIGRP named mode actually supports sha256). And let's not forget, even with just SHA1, there's no example of a successful collision attack that I'm aware of.

So, definitely SHA is better right? If you want to use rotating keys with a keyring, as of this post you still need to use MD5. Bummer. This got me thinking though, why can't we do better than sha256. In a non-realistic, totally lab only scenario, how could we make EIGRP traffic basically bulletproof?





Don't read beyond this line, test your creative problem solving skills. If required by a task (real world or lab), how would you improve EIGRP security beyond sha256?






Before I go into how I tackled this hypothetical task, let me first say... there are a few different ways you could interpret that objective, and even more ways you could attempt to solve it. Seeing as I wrote the task, the way I interpret it is 'We need better encryption, and a higher degree of data integrity than what sha256 alone can provide.' Which is totally insane, I mean... protecting EIGRP traffic is important, but c'mon. Even still, this is what I came up with. IKEv2/IPsec to secure only EIGRP traffic. Think about the options you have here. Not only do we have the option of a secure hash with up to sha512, but we also can leverage PFS AND encrypt eigrp datagrams. Let's take a look at some config:

All Routers


crypto ikev2 proposal 100 
 encryption aes-cbc-256
 integrity sha512
 group 21
crypto ikev2 policy policy100 
 match fvrf any
 proposal 100
crypto ikev2 keyring EIGRP_RING
 peer EIGRP_PEERS
  address 10.0.123.0 255.255.255.0
  pre-shared-key cisco123
 !
crypto ikev2 profile profile100
 match fvrf any
 match identity remote address 10.0.123.0 255.255.255.0 
 authentication local pre-share
 authentication remote pre-share
 keyring local EIGRP_RING
crypto ipsec transform-set ESP-AES256 esp-aes 256 esp-sha512-hmac 
 mode transport


R1

ip access-list extended EIGRP_R2
 permit eigrp host 10.0.123.1 host 10.0.123.2
ip access-list extended EIGRP_R3

 permit eigrp host 10.0.123.1 host 10.0.123.3
!
crypto map EIGRP 1 ipsec-isakmp 
 set peer 10.0.123.2
 set transform-set ESP-AES256 
 set pfs group21
 set ikev2-profile profile100
 match address EIGRP_R2
!
crypto map EIGRP 2 ipsec-isakmp 
 set peer 10.0.123.3
 set transform-set ESP-AES256 
 set pfs group21
 set ikev2-profile profile100
 match address EIGRP_R3
!
interface GigabitEthernet2
 ip address 10.0.123.1 255.255.255.0
 negotiation auto
 crypto map EIGRP

R2

ip access-list extended EIGRP_R1
 permit eigrp host 10.0.123.2 host 10.0.123.1
ip access-list extended EIGRP_R3

 permit eigrp host 10.0.123.2 host 10.0.123.3
!
crypto map EIGRP 1 ipsec-isakmp 
 set peer 10.0.123.1
 set transform-set ESP-AES256 
 set pfs group21
 set ikev2-profile profile100
 match address EIGRP_R1
crypto map EIGRP 2 ipsec-isakmp 
 set peer 10.0.123.3
 set transform-set ESP-AES256 
 set pfs group21
 set ikev2-profile profile100
 match address EIGRP_R3
!
interface GigabitEthernet2
 ip address 10.0.123.2 255.255.255.0
 negotiation auto
 crypto map EIGRP


R3

ip access-list extended EIGRP_R1
 permit eigrp host 10.0.123.3 host 10.0.123.1
ip access-list extended EIGRP_R2

 permit eigrp host 10.0.123.3 host 10.0.123.2
!
crypto map EIGRP 1 ipsec-isakmp 
 set peer 10.0.123.1
 set transform-set ESP-AES256 
 set pfs group21
 set ikev2-profile profile100
 match address EIGRP_R1
crypto map EIGRP 2 ipsec-isakmp 
 set peer 10.0.123.2
 set transform-set ESP-AES256 
 set pfs group21
 set ikev2-profile profile100
 match address EIGRP_R2
!
interface GigabitEthernet2
 ip address 10.0.123.3 255.255.255.0
 negotiation auto
 crypto map EIGRP

So that's your basic IKEv2 IPsec configuration, using EIGRP as the only interesting traffic. The next thing we're going to need to make this happen is static EIGRP neighbors. I'm still tinkering around, trying to figure out how to make this a little more graceful (GETVPN would at least help with the crypto maps). For now, let's just add the following:

router eigrp IPSEC
 !
 address-family ipv4 unicast autonomous-system 47884
  !
  topology base
  exit-af-topology
  neighbor 10.0.123.1 GigabitEthernet2
  neighbor 10.0.123.2 GigabitEthernet2
  neighbor 10.0.123.3 GigabitEthernet2
  network 10.0.0.0

 exit-address-family


Now finally, some verification. I should note, loopback interfaces are 10.x.x.x where 'x' is the router number.

R1#show ip eigrp neighbors              
EIGRP-IPv4 VR(IPSEC) Address-Family Neighbors for AS(47884)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   10.0.123.2              Gi2                      14 07:57:58    5   100  0  14
1   10.0.123.3              Gi2                      10 21:16:19    5   100  0  11

R1#show ip route eigrp | b ^Gateway     
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
D        10.2.2.2/32 [90/10880] via 10.0.123.2, 07:58:37, GigabitEthernet2
D        10.3.3.3/32 [90/10880] via 10.0.123.3, 21:16:59, GigabitEthernet2

R1#show crypto ikev2 sa                 
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
3         10.0.123.1/500        10.0.123.3/500        none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:21, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/76592 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
2         10.0.123.1/500        10.0.123.2/500        none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:21, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/76641 sec

R1#show crypto ipsec sa | i remote|encap
   remote ident (addr/mask/prot/port): (10.0.123.3/255.255.255.255/88/0)
    #pkts encaps: 16566, #pkts encrypt: 16566, #pkts digest: 16566
     local crypto endpt.: 10.0.123.1, remote crypto endpt.: 10.0.123.3
   remote ident (addr/mask/prot/port): (10.0.123.2/255.255.255.255/88/0)
    #pkts encaps: 16579, #pkts encrypt: 16579, #pkts digest: 16579

     local crypto endpt.: 10.0.123.1, remote crypto endpt.: 10.0.123.2



So that's it gang! A different, albeit impractical, approach to securing your routing process. I'll probably do a short video on this configuration (if for no other reason than to demo a quick IKEv2 configuration). I'll update this post with that video when I do.

No comments:

Post a Comment